From 6ae1c8cd8890ccfb8fffb484bec1ec08a23eb1d3 Mon Sep 17 00:00:00 2001 From: rohow Date: Mon, 20 Apr 2026 14:41:19 +0800 Subject: [PATCH] feat(kustomization): add recovery configuration and namespace for GitOps --- .gitignore | 3 +++ README.md | 11 ++++++++ .../infra-data-post/cnpg17-cluster-hk.yaml | 14 ++++++++++ .../infra-data-post/cnpg17-cluster-sh.yaml | 14 ++++++++++ flux/clusters/dev-cm/kustomization.yaml | 4 +++ flux/clusters/dev-cm/patches/kube-system.yaml | 26 +++++++++++++++++++ flux/flux-instance.yaml | 3 ++- helmcharts/namespace.yaml | 4 +++ 8 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 flux/clusters/dev-cm/patches/kube-system.yaml create mode 100644 helmcharts/namespace.yaml diff --git a/.gitignore b/.gitignore index 0cebe52..45da160 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,9 @@ logs # Secrets .env +flux-git-auth +flux-git-auth.pub +known_hosts # Editor directories and files .vscode/* diff --git a/README.md b/README.md index a09d304..4e687b1 100644 --- a/README.md +++ b/README.md @@ -7,3 +7,14 @@ #### 应用相关 参见 [flux/README.md](flux/README.md) + +` +ssh-keygen -t ed25519 -C "flux" -f ./flux-git-auth -N "" + +ssh-keyscan github.com > ./known_hosts + +kubectl -n infra-gitops create secret generic flux-git-auth \ + --from-file=identity=./flux-git-auth \ + --from-file=identity.pub=./flux-git-auth.pub \ + --from-file=known_hosts=./known_hosts +` diff --git a/flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-hk.yaml b/flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-hk.yaml index ed56381..3d166d0 100644 --- a/flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-hk.yaml +++ b/flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-hk.yaml 
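Review bot: The three new ignore entries cover an SSH private key, its public half and a known_hosts file that the README snippet on this page writes into the repository root, and `.gitignore` only stops an accidental `git add`: it does not protect a path that is already tracked or one added with `git add -f`. Generating the key outside the working tree, e.g. `ssh-keygen -t ed25519 -C "flux" -f "$(mktemp -d)/flux-git-auth" -N ""`, and removing it once the Secret exists leaves nothing in the tree to ignore. `known_hosts` is not a secret, and the `ssh-keyscan github.com` line that produces it trusts whatever host key answers at that moment; a copy verified against GitHub's published SSH fingerprints is safer committed than regenerated on every bootstrap, so consider dropping that entry from `.gitignore` and checking the verified file in. The empty passphrase (`-N ""`) is unavoidable for a key consumed by Flux, which makes how the file is handled on the operator's machine the main control.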
@@ -18,6 +18,20 @@ spec: value: when_required - name: AWS_RESPONSE_CHECKSUM_VALIDATION value: when_required + # >>> RECOVERY: 迁移完成后删除 bootstrap + externalClusters 段 <<< + bootstrap: + recovery: + source: recovery-source-hk + recoveryTarget: + targetTime: "2026-04-13 00:00:01.000000+00" + externalClusters: + - name: recovery-source-hk + plugin: + name: barman-cloud.cloudnative-pg.io + parameters: + barmanObjectName: cnpg17-objectstore-hw + serverName: cnpg17-cluster-hk + # <<< END RECOVERY >>> plugins: - name: barman-cloud.cloudnative-pg.io isWALArchiver: true diff --git a/flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-sh.yaml b/flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-sh.yaml index a48af91..99abaa9 100644 --- a/flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-sh.yaml +++ b/flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-sh.yaml @@ -18,6 +18,20 @@ spec: value: when_required - name: AWS_RESPONSE_CHECKSUM_VALIDATION value: when_required + # >>> RECOVERY: 迁移完成后删除 bootstrap + externalClusters 段 <<< + bootstrap: + recovery: + source: recovery-source-sh + recoveryTarget: + targetTime: "2026-04-13 00:00:01.000000+00" + externalClusters: + - name: recovery-source-sh + plugin: + name: barman-cloud.cloudnative-pg.io + parameters: + barmanObjectName: cnpg17-objectstore-hw + serverName: cnpg17-cluster-sh + # <<< END RECOVERY >>> plugins: - name: barman-cloud.cloudnative-pg.io isWALArchiver: true diff --git a/flux/clusters/dev-cm/kustomization.yaml b/flux/clusters/dev-cm/kustomization.yaml index 54f03fa..91e4b35 100644 --- a/flux/clusters/dev-cm/kustomization.yaml +++ b/flux/clusters/dev-cm/kustomization.yaml @@ -3,6 +3,10 @@ kind: Kustomization resources: - ../base patches: + - target: + kind: Kustomization + name: kube-system + path: patches/kube-system.yaml - target: kind: Kustomization name: infra-devops diff --git a/flux/clusters/dev-cm/patches/kube-system.yaml b/flux/clusters/dev-cm/patches/kube-system.yaml new file mode 100644 index 0000000..1449712 
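Review bot: The recovery source on the new `externalClusters` entry uses `serverName: cnpg17-cluster-hk` on `barmanObjectName: cnpg17-objectstore-hw`, while the `plugins:` context lines just below show the same barman-cloud plugin is also this cluster's WAL archiver; its archive `parameters` are outside the hunk, so confirm that the archiving destination does not resolve to the same `cnpg17-cluster-hk` prefix. If it does, the restored cluster archives new WAL and base backups into the very backup set it is being recovered from, and the pre-incident backups that a repeat PITR to `2026-04-13 00:00:01` would need get overwritten, or the plugin's non-empty-archive check may refuse to start archiving at all. A distinct archive `serverName` (for example `cnpg17-cluster-hk-restored`), set where the plugin's archive parameters are defined, keeps the source backup set intact. A comment on the `externalClusters` block such as `# source backups: cnpg17-objectstore-hw/cnpg17-cluster-hk — read-only during recovery; new WAL must archive under a different serverName` would make the separation visible to whoever removes this block later. The `spec:` mapping this hunk sits in starts and ends outside the hunk.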
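Review bot: The `bootstrap.recovery` block with a fixed `targetTime` is committed into a manifest that Flux reconciles continuously, and the only safeguard against it re-running is the inline comment asking for manual deletion after migration; if the Cluster object is ever recreated while this block is still on `main` (a prune after a rename, an accidental `kubectl delete`, a re-apply into a fresh cluster), CNPG will silently bootstrap again from the 2026-04-13 backup and everything written after that point is lost. Keeping the recovery section in a dedicated overlay or Kustomize component that is removed in the same commit that points `flux-instance.yaml` back at `dev-cm` ties the two steps together instead of relying on someone remembering the comment. As far as I understand, CNPG consumes the `bootstrap` section only at cluster creation, so deleting it afterwards is safe for the running cluster — worth confirming against the operator version in use before the cleanup. The same block is duplicated verbatim in `cnpg17-cluster-sh.yaml` and `cnpg17-cluster-hk.yaml` on this page, so whatever mechanism is chosen should cover both files.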
--- /dev/null +++ b/flux/clusters/dev-cm/patches/kube-system.yaml @@ -0,0 +1,26 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kube-system +spec: + patches: + - target: + kind: Deployment + name: "(coredns|local-path-provisioner|metrics-server)" + patch: | + spec: + template: + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: In + values: + - "true" + tolerations: + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule diff --git a/flux/flux-instance.yaml b/flux/flux-instance.yaml index 2fd945a..f17837a 100644 --- a/flux/flux-instance.yaml +++ b/flux/flux-instance.yaml @@ -23,11 +23,12 @@ spec: class: "local-path" size: "10Gi" # Git 仓库同步配置 - 请将 url 替换为实际的 deploy 仓库地址 + # 恢复模式: 先用 restore profile 部署 Velero,恢复 PVC 后切回 dev-cm sync: kind: GitRepository url: ssh://git@github.com/devcm-repo/k3s.git ref: refs/heads/main - path: flux/clusters/dev-cm + path: flux/clusters/restore pullSecret: flux-git-auth name: flux kustomize: diff --git a/helmcharts/namespace.yaml b/helmcharts/namespace.yaml new file mode 100644 index 0000000..ef36432 --- /dev/null +++ b/helmcharts/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: infra-gitops
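Review bot: The toleration at the end of the patch only matches `effect: NoSchedule`, so if the control-plane nodes carry a `NoExecute` taint on the same key (k3s servers are often tainted `node-role.kubernetes.io/control-plane:NoExecute` to keep workloads off them) the required node affinity above would leave coredns, local-path-provisioner and metrics-server unschedulable and cluster DNS down. Dropping the `effect` line so the toleration reads `- key: node-role.kubernetes.io/control-plane` / `operator: Exists` covers any effect on that key. The patch also carries no comment saying why these three add-ons are pinned to control-plane nodes; a line such as `# keep core add-ons on control-plane nodes so they are unaffected by worker-node drain/restore` (adjusted to the real reason) belongs above `patches:`. Note too that `requiredDuringSchedulingIgnoredDuringExecution` with no preferred fallback makes these add-ons unavailable whenever no control-plane node is schedulable, which on a single-server k3s setup is a cluster-wide DNS outage during node maintenance.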
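Review bot: The sync `path` now points at `flux/clusters/restore`, but none of the eight files in this commit's diffstat create that directory; if it does not already exist on `refs/heads/main`, the FluxInstance will fail reconciliation with a path-not-found error and nothing is applied, so the restore profile should land in the same commit or the switch should be gated on it. Committing the temporary path into the tracked `flux-instance.yaml` also means that anyone who re-applies this file (or a later revert that misses it) re-enters restore mode; keeping the restore path in a separate overlay or passing it at bootstrap time leaves `main` describing the steady state. The new comment above `sync:` describes the sequence but not the exit condition; expanding it to `# RESTORE MODE (temporary): switch path back to flux/clusters/dev-cm once Velero has restored the PVCs — see <runbook/issue>` records what "done" looks like for the person undoing it.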
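Review bot: The new `infra-gitops` Namespace carries no Pod Security Admission labels, yet the README on this page places the Flux git deploy key (`flux-git-auth`) in this namespace, which makes it the home of the controllers that reconcile the whole cluster; without labels the namespace falls back to the cluster's default PSA level, which is `privileged` unless an admission configuration says otherwise, so any workload that lands here can run privileged pods beside that credential. Labelling it `pod-security.kubernetes.io/enforce: restricted` (with `warn` and `audit` at the same level) is the cheap control; Flux's controllers are, to my knowledge, built to run under the restricted profile, which is worth confirming for the deployed version before enforcing. A short comment such as `# Namespace for the Flux controllers and their git deploy key; keep PSA at restricted` on the file records why the labels are there.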